DNSSEC DS record upload -HOWTO- ??
Hello Folks
I'm setting up a DNSSEC environment using a RHEL server with BIND as my primary/master DNS server and delegating (via CNAMEs) intelligent resolution (through wide-ips) to my GTM box.
I have set up one zone (3gnetworks.cr.) with standard records (SOA, NS, A) BUT I have not done any DNSSEC setup at the server level.
I already went through the whole process of configuring DNSSEC on my GTM box, so if I query the GTM (192.168.20.253) directly for the wide-ip configured on the box, it works as expected!
[glenn@MyDNS ~]$ dig @192.168.20.253 misubasta.3gnetworks.cr +dnssec
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @192.168.20.253 misubasta.3gnetworks.cr +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2837
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2048
;; QUESTION SECTION:
;misubasta.3gnetworks.cr. IN A
;; ANSWER SECTION:
misubasta.3gnetworks.cr. 30 IN A 192.168.20.6
misubasta.3gnetworks.cr. 30 IN RRSIG A 7 3 30 20130716080024 20130709080023 54335 3gnetworks.cr. TNElaYQLSBBRaWBtZmp4r0s1C+KHmMB4vAJivA+biXewUr6ToEXLD6xL PKQxvPDByJA85OkltII1lrfw49B0EDs9ZEYGrDQUr8D/U5VWvv5+ZQYw EmR4icuSeHedw+8bNECvMFtCa4ZC38ANUCO0ZfVq3KmOuJjZYF3WNqKL Wmo=
++++++++++++++++++++end of output++++++++++++++++++++++++++++++++++++++
BUT if I query my primary DNS server (192.168.20.250):
[glenn@MyDNS ~]$ dig @192.168.20.250 misubasta.3gnetworks.cr +dnssec
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @192.168.20.250 misubasta.3gnetworks.cr +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64191
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;misubasta.3gnetworks.cr. IN A
;; ANSWER SECTION:
misubasta.3gnetworks.cr. 38400 IN CNAME wideip.misubasta.3gnetworks.cr.
wideip.misubasta.3gnetworks.cr. 30 IN A 192.168.20.6
;; AUTHORITY SECTION:
wideip.misubasta.3gnetworks.cr. 38400 IN NS gtm2.wideip.misubasta.3gnetworks.cr.
wideip.misubasta.3gnetworks.cr. 38400 IN NS gtm1.wideip.misubasta.3gnetworks.cr.
I don't get the RRSIG record for misubasta.3gnetworks.cr.
What I think I'm missing is the DS record I need to upload from my GTM to my parent zone (in this case 3gnetworks.cr).
If I take a look at the dsset file I can see the DS record:
[root@malpais:Active:Standalone] config cat /config/gtm/dsset-3gnetworks.cr
3gnetworks.cr. 86400 IN DS 9921 7 1 1936bf2f16e3569dd55d756e3ff4b82998882f5b
{key = /Common/3gKSK, gen = 1}
MY QUESTION WOULD BE:
How to upload the DS record to my BIND server to establish the chain of trust?
Thanks in advance folks!!!
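As an added example (not from the original post, BIND or F5): a small Python script that recomputes a DS record from a child zone's DNSKEY RDATA (RFC 4034 key tag and digest over the canonical owner name) and compares it with a dsset line, so the DS you paste into the parent zone file can be checked before it is published. The DNSKEY below is a constructed placeholder and `example.test.` is a stand-in owner name; the dsset line is the one quoted in the post.

```python
import base64
import hashlib
import struct

# DS line from the GTM dsset file quoted in the post above.
DSSET_LINE = "3gnetworks.cr. 86400 IN DS 9921 7 1 1936bf2f16e3569dd55d756e3ff4b82998882f5b"
# DS digest types (RFC 4034 / RFC 4509) mapped to hashlib names.
DIGEST_ALGOS = {1: "sha1", 2: "sha256"}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case, uncompressed) wire form."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name wire form | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest()

def make_ds_line(owner: str, ttl: int, rdata: bytes, digest_type: int) -> str:
    """Presentation-format DS record, as it would be pasted into the parent zone file."""
    return (f"{owner} {ttl} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")

def parse_dsset_line(line: str):
    """Parse 'owner ttl IN DS tag alg dtype digest' into (owner, tag, alg, dtype, digest)."""
    owner, _ttl, cls, rtype, tag, alg, dtype, digest = line.split()
    if (cls, rtype) != ("IN", "DS"):
        raise ValueError("not a DS record")
    return owner, int(tag), int(alg), int(dtype), digest.lower()

def ds_matches(owner: str, rdata: bytes, ds_line: str) -> bool:
    """True if the DS line was derived from this owner's DNSKEY RDATA."""
    _o, tag, alg, dtype, digest = parse_dsset_line(ds_line)
    return tag == key_tag(rdata) and alg == rdata[3] and digest == ds_digest(owner, rdata, dtype)

# Constructed demo key (not a real key): KSK flags 257, protocol 3, algorithm 7, key bytes 00 01.
DEMO_RDATA = dnskey_rdata(257, 3, 7, "AAE=")
```

Run `ds_matches(owner, rdata, line)` with the child's real DNSKEY to confirm that the dsset line (key tag 9921, algorithm 7, digest type 1 in the post) really corresponds to that key before adding it to the parent zone and reloading BIND.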